He Liangsheng of the State Cryptography Administration: Cryptography is the cornerstone of building a network trust system

Trust is part of the public order and good customs of society, a basic element of common human values, the lubricant that keeps human society running normally, the cornerstone on which a good social order is built, and a public resource that promotes social development and economic prosperity. Human society has now entered the Internet age, and the establishment and transmission of trust has become a fundamental and key link in maintaining order in cyberspace and ensuring the prosperity of the digital economy and social stability. Establishing online trust has become a value pursued in common by all kinds of information networks and actors, and building a cyberspace trust system with a healthy ecology has become a consensus across society. The “Several Opinions on the Construction of the Network Trust System” states clearly that the network trust system is a complete system, based on cryptographic technology, for solving the problems of identity authentication, authorization management and responsibility determination in network applications. The support that cryptography gives to the construction of the network trust system is reflected mainly in three aspects: trust technology, trust management and trust services.

1. Cryptography is the basic support for network trust technology

Digital authentication technology based on modern cryptography is the safest, most effective, most economical and most reliable means of solving the network trust problems of authenticating the identity of network subjects, establishing the credibility of network behaviour, and protecting the integrity and confidentiality of network information. This is determined both by the inherent security requirements of network trust and by the basic security attributes inherent in cryptographic technology. Modern cryptography provides the encryption and authentication mechanisms on which a network trust system rests; the most mainstream of these is digital certificate authentication based on public key infrastructure (PKI). The core of digital certificate authentication is public key cryptography: under the PKI technical framework, the identity of a network entity is authenticated by issuing a public key digital certificate to the holder of the corresponding private key, thereby making identities, data and behaviour trustworthy.

At present, research institutions and industry at home and abroad have proposed a large number of identity management solutions and standards based on public key cryptography, and the core credentials (tokens) they use for identity authentication likewise rest on digital signature technology based on public key cryptography.
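As an added illustration of the PKI mechanism described above (example code written for this page, not part of the original article), the following Go program uses only the standard library to build a constructed demo CA, issue a certificate binding the hypothetical identity “alice” to her private key, and let a relying party verify both the certificate chain and a signature, so that identity, data integrity and non-repudiation are checked in one place. It uses ECDSA over P-256 because Go’s standard library does not ship the SM2 algorithm mentioned later in the article; the CA name, subject name and function names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue has the issuer's key sign tmpl on behalf of parent and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerKey)
	if err != nil {
		panic(err) // constructed demo data: fail fast
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// NewChain builds constructed demo data: a self-signed root CA and a certificate it issues to the hypothetical "alice".
func NewChain() (root, alice *x509.Certificate, aliceKey *ecdsa.PrivateKey) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	aliceKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed trust anchor
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "alice"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	return root, issue(leafTmpl, root, &aliceKey.PublicKey, caKey), aliceKey
}

// Sign is the private-key holder attesting to msg (the network "behaviour" being vouched for).
func Sign(key *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// Verify is the relying party's check: cert must chain to the trusted root (identity) and sig
// must verify under the key cert binds (data integrity, non-repudiation). Returns "" on failure.
func Verify(root, cert *x509.Certificate, msg, sig []byte) string {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return "" // not issued by a trusted CA, outside its validity period, or malformed
	}
	if cert.CheckSignature(x509.ECDSAWithSHA256, msg, sig) != nil {
		return "" // message altered, or not signed by the certified key
	}
	return cert.Subject.CommonName
}
```

A relying party that trusts only the root obtains the authenticated name “alice” for a genuine message, and an empty result for an altered message or for a certificate issued by a CA it does not trust.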

2. Cryptography management is the basic support for network trust management

Network trust management is a key element in ensuring that the network trust system can be built and run continuously and that network trust services can function effectively. Its core is confirming the legality and authority of network trust technologies and services, and ensuring the regularity and effectiveness of network trust services and functions. Its main purpose is to supervise qualified trust service providers and qualified trust services before, during and after the fact, and to guide trust service providers in delivering compliant trust services. Its main tasks are: taking responsibility for the construction of the network trust system; formulating, implementing and supervising network trust service policies and strategies; ensuring that trust service strategies are formulated scientifically, effectively and adaptably, and implemented rationally, pertinently and feasibly; testing and evaluating whether the goals of the service strategy have been achieved; and keeping pace with the times by proposing countermeasures and measures for optimizing and perfecting network trust technology and services.

Network trust management is achieved mainly on the basis of laws and regulations related to network security, technical standards, and network trust infrastructure. In our country, the core support and carrier of network trust management is cryptography management. It can also be said that cryptography management is the basic support of network trust management, which is reflected mainly in the following three aspects.

(1) Cryptography ensures the correctness of the network trust system

Our country’s laws and regulations related to network security have clarified the legal status of electronic authentication in the construction of network trust systems, ensuring the correctness of the network trust system. In particular, the use of cryptographic authentication technology as the core of trust technology, so as to achieve credible entity identities and information sources, integrity and credibility of data, and credible network behaviour, has been widely recognized both in practice and in legislation. Article 14 of the “Electronic Signature Law”, promulgated and implemented in 2005, stipulates that a reliable electronic signature has the same legal effect as a handwritten signature or seal, establishing the legal effect of electronic signatures. In 2009, the Ministry of Industry and Information Technology promulgated the “Administrative Measures for Electronic Authentication Services”, which clarified that electronic authentication services are activities that verify the authenticity and reliability of all parties to an electronic signature. The State Cryptography Administration issued the “Administrative Measures on Cryptography for Electronic Authentication Services” and the “Administrative Measures on Electronic Authentication Services for E-government Affairs”, which govern the establishment of e-government electronic authentication service agencies, the development of their services, and matters relating to electronic authentication cryptography, effectively promoting the construction and management of the network authentication system. The Cyber Security Law, implemented in 2017, further clarified the goal of building a network trust system and supported the development of electronic authentication technology: Article 24 stipulates that the state shall implement a network trusted identity strategy, support the research and development of secure and convenient electronic identity authentication technology, and promote mutual recognition between different electronic identity authentication schemes. Article 29 of the “Cryptography Law”, implemented in 2020, stipulates that the national cryptography management department shall identify institutions that use cryptographic technology to engage in e-government electronic authentication services, and shall, together with the relevant departments, be responsible for managing the use of electronic signatures and data messages in government activities, thereby clarifying the statutory nature of cryptography for electronic authentication services.

(2) Cryptography ensures the compliance of the network trust system

Strengthening the requirements for the use of cryptography in electronic authentication services ensures the compliance of the network trust system. In particular, as the core of electronic authentication, the application of cryptography in electronic authentication has been confirmed and regulated in national policy and in special legislation. In recent years, the Office of the State Council has issued documents emphasizing the need to give full play to the supporting role of cryptography in the construction of network trust systems and in comprehensive network governance, and to establish a cryptographic support system for applications such as network entity identification, network identity management, network domain names, network contracts, network behaviour analysis, and the collection and tracing of evidence of online illegality, so that cryptography management and effective cryptographic applications firmly support social governance in the cyberspace era. The “E-Government Electronic Authentication Service Business Rules and Regulations”, revised in 2019, set out the main content and requirements for electronic authentication service agencies that use cryptographic technology to provide electronic authentication services through digital certificates; in terms of service content, service quality and business operation specifications, they clarified the key links and operating specifications in the electronic authentication service process and the related legal responsibilities and relationships of electronic authentication services, and provided a basis for e-government electronic authentication capability assessment and for supervision and inspection.

(3) Cryptography ensures the effectiveness of the network trust system

Strengthening cryptographic testing and evaluation in electronic authentication ensures the effectiveness of the network trust system. In accordance with the requirements of the “Cryptography Law” on strengthening in-process and post-event supervision and on security assessment of cryptographic applications, we strictly implement the relevant national cryptography management regulations, urge the builders and operators of important network information systems to use cryptography in a standardized way, and so provide solid support for the establishment of a trust system in cyberspace. To adapt to the new changes in cyberspace in the new era, and to the complex and changeable new conditions of global security, dynamic security and trust relationships, we have carried out targeted security assessments of the cryptographic applications in identity authentication systems and identity authentication infrastructure, to ensure that cryptography is used in a compliant, correct and effective manner. We have strengthened the “double random” inspection of the cryptographic products and cryptographic applications involved in the cyberspace trust system, to ensure that they meet the requirements and that the trust system is constructed scientifically and reasonably. Through testing and evaluation of the related cryptographic infrastructure and of the various cryptographic applications in electronic authentication, the cryptographic functions of electronic authentication products and systems have been optimized and improved, the capacity to supply products, services and support systems that integrate electronic authentication services with cryptography has been raised, and a cryptographic ecosystem in which the upstream and downstream industry chains of the network trust system cooperate has been built. We are actively building a cryptography-led innovation chain and value chain for the network trust system and serving its continuity, stability and effectiveness, so that the whole of society can enjoy safe and reliable trust services and smooth network interconnection.

3. Cryptographic services are the basic support for network trust services

A cryptographic service is the act of implementing cryptographic application functions and providing cryptographic protection on the basis of cryptographic technology and products. It is the service that supports network trust services in providing identity authentication, authority management, responsibility determination and the like, and it is the foundation for the credibility of network identities, the trustworthiness of data sources and content, and the trustworthiness of all kinds of network behaviour. For the present and for a long time to come, only by relying on services such as identity authentication and digital signature and verification, based on cryptographic digital certificate services, can the authenticity of the identity of network subjects and the authenticity, integrity and non-repudiation of data transmitted in interactions be guaranteed; and only by achieving effective identity authentication can the authorized behaviour of network users be managed correctly and the behaviour of network users be made credible, thereby clarifying behavioural responsibility and identifying the responsible subjects.

After nearly two decades of development, our country’s cryptography-based electronic authentication services have achieved remarkable results and effectively promoted the healthy and orderly development of the electronic authentication service industry. To date, 57 electronic authentication service institutions in China have obtained licences for the use of cryptography in electronic authentication, there are 49 e-government electronic authentication service institutions, and nearly 20 national cryptographic standards for electronic authentication have been issued. These include algorithm standards such as the SM3 cryptographic hash algorithm and the SM2 elliptic curve public key cryptographic algorithm, the cryptographic protocol specification for digital certificate authentication systems, the digital certificate format specification based on the SM2 algorithm, the digital certificate interoperability testing specification, the digital-certificate-based identity authentication interface specification, the cryptographic and related security technical specifications for SM2-based certificate authentication systems, the certificate authentication system testing specification, and the certificate authentication key management system testing specification. These standards cover every layer, from cryptographic algorithms and electronic authentication infrastructure to certificate application interfaces and authentication system testing, and effectively guide electronic authentication service agencies of all kinds in carrying out authentication services and cryptographic applications. The application of cryptographic digital certificates now covers every field of the national economy and social management. In important fields such as industry and commerce, taxation, social security, quality supervision, medical care and health, public safety, customs and commerce, culture and education, transport and communications, financial securities and electronic payment, cryptographic digital certificates have proved highly effective, and have played an important role in transforming government functions, making services more convenient for the people, serving the public, and protecting the legitimate rights and interests of organizations and individuals.

In the future, trust will play a pivotal role in the development of informatization. The development of the Internet of Things cannot do without the identification of all kinds of smart terminals; the development of big data cannot do without the identification of data sources and the management of data ownership; the application of blockchain cannot do without the establishment of trust between mutually untrusting entities; the application of cloud computing cannot do without a trustworthy platform, trustworthy data and trustworthy behaviour; and the development of trusted communications cannot do without trusted identities. The development of new technologies and applications depends on the support of an advanced network trust system, and the foundation of that system is an advanced cryptographic system. Without the support of an advanced cryptographic system, trust services are like a tree without roots or water without a source. Going forward, we must continue to implement a number of leading demonstration projects that accelerate the integration and application of cryptography with other authentication technologies, so as to build an advanced digital trust system able to adapt to the Internet of Things, big data, cloud computing, blockchain, trusted communications, digital currency and the like; apply it on a large scale in important industries and fields, comprehensively standardizing and deepening its application especially in critical information infrastructure, important communication infrastructure, information systems at security protection level three and above, national government information systems and other important network information systems; and continuously improve the autonomous controllability of our country’s cryptographic services and its cryptographic security capability in cyberspace.

4. Future expectations

Cryptography is the basic support for building a network trust system. The development of a cryptography-based cyberspace trust system will empower the country’s informatization and the construction of an information society, and help the high-quality development of our country’s digital economy. All parties in government, industry, universities, research institutes and testing bodies should work together to actively carry out basic research on cryptography-based digital trust, paying particular attention to cryptographic problems such as cross-domain trust and trust evaluation under complex network and business architectures; to fully stimulate innovative applications of cryptography in the construction of modern digital trust systems and, facing the new demands of intelligent and digital security development, to study trust service systems that combine advanced cryptographic authentication technology with diverse other technologies to suit the trust needs of different network environments and business scenarios; to accelerate the construction of standards for digital trust management and services; and, looking to the needs of future development, to promote fundamental, original and forward-looking theoretical innovation and technological breakthroughs in cryptography for the network trust system, so as to provide solid support for the construction of modern digital trust infrastructure centred on support for trusted identities.
